
I can't stress how important that factor is also. It doesn't make a difference how much you or your company spends on security software and/or hardware if the end user doesn't know what it's for and how to use it. So far no one has posted on how they would do a security audit, and I'm still looking forward to hearing everyone's different procedures and methods of doing so.

Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened all attachments, left their computers (with static IP) on overnight and put their passwords on post-its on their computer screen.
After sending out a general security mail, two out of the nine that had passwords on their screens removed it. No one bothered to turn off their computer. I don't know about the attachments since I wasn't around to see any more viruses strike.
What is a person to do with middle-aged academic researchers?!? Any ideas?

Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile

two things

(Some may recognize this from 'Hacking Exposed', a very good book on the topic which I highly recommend.)

It's also important to remember that when you get any info, you should write it down, as it may become important later. The password for the admin on one machine might also be the admin password on another. If you can tie an individual to a username, you will probably see passwords recycled, and if you can get the info, knowing which users might be less likely to use strong passwords might also be helpful.

2. Another thing to bear in mind is just how important it is to verify permission to run any scans or exploits on a system. Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin. Further if you run an exploit on an IP that you got from your footprinting, but for some reason that IP doesn't belong to the client, you run some serious risks. So, after you've gotten the IP range, you should verify it with the client and then proceed.

Re: two things

Originally posted by mstrickland Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin.

In some countries it is strictly illegal to perform these scans.
For instance: in Belgium there is a law that can be used to convict people who did scans, on the assumption that they were stealing electricity from someone else. This law was used to catch some crackers in the past... indeed, when you perform a scan, the other box responds (and this is a minimal power consumption in the eyes of the judge and therefore a cost for the 'attacked' one).
There is also a cost for the admin who has to read the logs; if there is proof that your actions caused longer logs than normal, you could be convicted on that basis, because there is a certain cost involved.

Good to know

Sorry for the incomplete info; as I've only worked in the US thus far, that's the only set of laws with which I'm familiar. So it's good to hear about the subtleties of rulings from other countries. What other interesting legal issues have people come across in this area?

Originally posted by Pooh-Bear Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened all attachments, left their computers (with static IP) on overnight and put their passwords on post-its on their computer screen.
After sending out a general security mail, two out of the nine that had passwords on their screens removed it. No one bothered to turn off their computer. I don't know about the attachments since I wasn't around to see any more viruses strike.
What is a person to do with middle-aged academic researchers?!? Any ideas?

You need to probably send daily or every other day reminders and tips. One place I worked at did that. The number of "sticky notes" disappeared as a result. Make the reminders fun and interesting to read rather than something bothersome. What users need to be reminded is that security is not necessarily a chore or a pain but can be part of the day-to-day routines.

Also, getting users to sign agreements in regards to security (usually referred to as an email policy or acceptable use policy) can be helpful. That puts part of the responsibility on them.